How to implement consent for your council under GDPR

A new service from KnowNow Information, Consentua, helps organisations build citizen trust as required under the General Data Protection Regulation (GDPR). It provides data processing transparency and gives citizens the choice and control needed to share data safely and comfortably.

Consentua – privacy and consent service

Consentua captures users’ consent to the use of their personal data. It provides GDPR compliance to organisations that process data. It also allows individuals to control how their personal data is being used.

You can now sign up to Consentua via CC2i, the collaborative government services co-funding platform at

What is Consentua?

Consentua is a consent management system from KnowNow Information that helps organisations to achieve GDPR’s data protection compliance. It also gives individuals choice and control over how their personal data is used.

The two founders of KnowNow Information, David Patterson and Chris Cooper, both previously worked for IBM. They were both experienced in creating new services using an agreed exchange of personal information. The industry, however, experienced a slow reduction in the number of people signing up for services due to privacy concerns.

Richard Gomer, from Southampton University, one of the leading authorities on privacy and consent, was brought on board. Richard worked out exactly what would be required to capture consent from users that would be actionable for customer organisations.

Working alongside the European Commission as well as the UK Digital Catapult’s Personal Data and Trust Network, Consentua was developed according to security standards such as ISO 27001 and agreed industry best practice.

In June 2016, after a lengthy competition, Consentua won an InnovateUK competition for a pilot deployment, working alongside the organisation SharingEconomyUK and its members. This project is ongoing.

How does it work?

Consentua’s dynamic tokens, coupled with a user-friendly dashboard, allow consent to be queried, changed and even revoked.

Your Consent Record

First, an organisation that subscribes to the Consentua service completes a Consent Template. The template states what consents are required and what data needs to be captured from users. The applications that the organisation wants to enable with Consentua are then given access to the service, and a token is provided for each application and each user of that application.

The user of an app needs to briefly set up their own individual consent profile for each application which uses personal data. This consent profile is easily captured within the application itself via the settings menu.

Once the consent profile for the app is captured, the Consentua token is populated on the user’s device. It will work even whilst offline, as the token is stored on the device and managed by the application.

The user story

When using the application, the user has the opportunity to review their consent settings. If a task requires access to their personal data, then GDPR dictates that the app validates that user consent has been granted. The Consentua record is requested by the application and, using the user’s email address as the common identifier, the app uses the Consentua API to confirm consent to access.

The previous consent setting is inherited should connectivity be poor or unavailable. This allows the app to carry on working without grinding to a halt, and the consent will be reviewed once connectivity is restored.

Users have access to a standalone dashboard app that provides a view as to which application providers have access to their data and what data is being collected. They will also receive a description of the benefits and services that provider is giving that specific user.

Your application managers can access an audit of consent by each user via a report run against the Consentua audit database. They will only see their own apps’ consent audit trail. No personal data will be identifiable by your application managers.
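The flow described above (live consent check, inheriting the previous setting while offline, review on reconnect, and an audit trail without identifiable personal data) can be sketched as follows. This is an added example, not Consentua's code or API: `ConsentGate`, the `lookup` callable, `ServiceUnavailable`, the keyed-hash pseudonym and the `MAX_STALE_SECONDS` limit on reusing a cached decision are all assumptions made for illustration.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable

# Assumption: the page sets no limit; this caps how long an offline decision is reused.
MAX_STALE_SECONDS = 24 * 3600

class ServiceUnavailable(Exception):
    """Raised by the hypothetical lookup when the consent service is unreachable."""

@dataclass
class ConsentGate:
    lookup: Callable[[str, str], bool]   # hypothetical remote check: (email, purpose) -> granted
    audit_key: bytes                     # secret used to pseudonymise subjects in the audit log
    cache: dict = field(default_factory=dict)    # (email, purpose) -> (granted, checked_at)
    pending: set = field(default_factory=set)    # decisions made offline, awaiting review
    audit: list = field(default_factory=list)

    def _pseudonym(self, email: str) -> str:
        # Keyed hash: audit readers can correlate entries but cannot recover the address.
        return hmac.new(self.audit_key, email.lower().encode(), hashlib.sha256).hexdigest()[:16]

    def is_allowed(self, email: str, purpose: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        key = (email.lower(), purpose)
        try:
            granted = bool(self.lookup(email, purpose))
            self.cache[key] = (granted, now)
            self.pending.discard(key)
            source = "live"
        except ServiceUnavailable:
            cached = self.cache.get(key)
            # Fail closed when there is no earlier decision or it is too old to trust.
            if cached is None or now - cached[1] > MAX_STALE_SECONDS:
                granted, source = False, "denied-no-valid-cache"
            else:
                granted, source = cached[0], "cached"
            self.pending.add(key)
        self.audit.append({"subject": self._pseudonym(email), "purpose": purpose,
                           "granted": granted, "source": source, "at": now})
        return granted

    def revalidate(self, now: float = None) -> dict:
        """Call when connectivity returns: re-check every decision made while offline."""
        return {key: self.is_allowed(key[0], key[1], now) for key in sorted(self.pending)}
```

The point to notice is the offline branch: a revocation made while the device is disconnected only takes effect at `revalidate`, so the staleness limit bounds how long a withdrawn consent can still be acted on.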

How does it improve trust?

Firstly, trust is improved because the consumer always has a choice. With Consentua integrated into existing services, the consumer will always be aware when personal data is being requested. The consumer will also be provided with the ability to deny consent to that information.

Secondly, the consumer has control over the level of personal data available to a service. Previously, there was often only a binary decision to be made when signing up to a new service: “Do I agree to the service provider using all of my personal data in exchange for using their service, or do I not agree and therefore lose the ability to use the service?” Consentua makes it explicit what data would be required and what you will get for the use of that data. Crucially, it also alerts the user to what additional services they might receive if they provide more personal data.

When it goes wrong, it is often very unpleasant. In September 2016, Seagate was subjected to data theft which led to them being sued by their own employees. The employees had no control over what data the company kept on file and had not provided consent for some of the stolen data to be stored. It was found that personal information including names, addresses and social security numbers had been taken.

What are the benefits to the citizen?

Consentua gives individual data subjects control over their personal data, allowing them to feel safe when engaging with digital services.

The ability to decide whether to accept a service and how much data to provide in exchange will revolutionise how citizens interact with those services. Some citizens will likely prefer to provide the bare minimum data because they do not see additional value in a more comprehensive service. Some are likely to become ‘superusers’, more than willing to exchange their personal information for the services because they identify great value in the services they subscribe to.

These superusers would be far more likely to be advocates for your services. They would become a segment of customers that could be worked with on developing future services or in marketing.

There’s also the likelihood that citizens would take opportunities to get value for information that would be shared anyway. It is anticipated that retailers will be quick to use these technologies and that may well inspire citizens to seek out other such opportunities from their public sector service providers.

What are the benefits to my organisation?

When it comes to complying with the new GDPR requirements around data-subject consent, Consentua could be your secret weapon. Collect and record consent with tested interaction mechanisms, query consent in real-time to detect revocation and use the provided audit trails to demonstrate the consent that your organisation relies on.

Recently, many online services have reported a decline in the number of potential users as they are asked to accept terms and conditions. Similar effects have been seen when cookie consent has been requested. Consentua allows your potential user to choose the level of personal data that they allow you to consume. It also allows you to tailor your service according to the degree of access your customer provides.

Accusations of acting like ‘big brother’ are often levelled at services that provide innovative services using personal data. Improvements in the perception of openness through the consent receipt should lead to a reduction in suspicion of ‘big brother’ when dealing with customers or citizens at large.

What would I need to commit?

Any authority considering deployment of Consentua would need to make two commitments as well as subscribing to the service.

Firstly, the authority would need to provide access to an estimated 1 person for 1 day to provide the information needed to work with our team and create the Consent Template.

Secondly, your development team will need to spend an estimated half day working with our deployment team to integrate Consentua into your existing systems.

What can I expect?

The first part of the engagement will provide you with a completed Consent Template. This will be valid and usable for all systems that require the use of personal data and will help your business to conform to the General Data Protection Regulation. It will not be limited to Consentua-enabled applications.

Consentua will be enabled to be integrated into your existing chosen services. This will give you the auditable consent receipts for the interactions with your users. Similarly, the service will be able to be integrated into applications that citizens use to interact with your authority.

Your citizens will have access to a separate Consent control application. This will be available via the normal app stores. It will enable them to amend their choices and see which applications they have consented to use their personal information. It will also control the level of data each application consumes.

How Consentua answers GDPR

Consentua helps organisations to build citizen trust as required under the General Data Protection Regulation (GDPR) by providing data processing transparency. It also gives data subjects the choice and control that they need in order to share data safely and comfortably.

The idea of breaking something and fixing it, learning about functionality whilst looking to adapt and improve has always appealed to me. I've brought this idea to KnowNow Information so we can look to help you to improve on your data management.